Using OAuth 2.0 with the Core API

You may have heard that OAuth 2.0 simplifies development and provides better support for mobile apps. That’s why we announced OAuth 2.0 on the Core API at DBX this week. Most of the official Core API SDKs include OAuth 2.0 support already, so the best way to take advantage of OAuth 2.0 in your app is to use one of those libraries.

That said, you can easily implement the protocol yourself if you need to. The Core API supports both the “code grant” (for apps with a server-side component like web apps) and the “implicit grant” (for client-side apps like mobile or JavaScript apps).

Let’s dive in!

Using the code grant

Step 1: Begin authorization

You should use the state parameter to prevent cross-site request forgery (CSRF) attacks on your app. Our SDKs generate a CSRF token by base-64 encoding a secure 16-byte random number, and we store a copy in the user’s session.
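As an added example (not code from this post or from the official SDKs), here is a minimal server-side implementation of the state handling described above for the code grant: the token is minted and stored in the session when authorization begins, and consumed and compared in constant time when the user comes back. The authorize endpoint URL, the session key name and the use of URL-safe base64 are assumptions.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed authorize endpoint; confirm against the current API documentation.
AUTHORIZE_URL = "https://www.dropbox.com/oauth2/authorize"
SESSION_KEY = "dropbox-auth-csrf-token"  # hypothetical session key name


def new_csrf_token() -> str:
    """Base64-encode 16 secure random bytes (URL-safe alphabet is our choice)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(16)).decode("ascii")


def start_authorization(session: dict, client_id: str, redirect_uri: str) -> str:
    """Step 1: mint a state token, keep a copy in the session, build the authorize URL."""
    state = new_csrf_token()
    session[SESSION_KEY] = state
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def finish_authorization(session: dict, callback_url: str) -> str:
    """Handle the redirect back: reject a missing, mismatched or replayed state,
    surface an error response, and otherwise return the authorization code."""
    query = parse_qs(urlparse(callback_url).query)
    # Single use: remove the stored token even if verification fails below.
    expected = session.pop(SESSION_KEY, None)
    given = query.get("state", [None])[0]
    if expected is None or given is None:
        raise ValueError("missing CSRF state")
    if not hmac.compare_digest(expected, given):  # constant-time comparison
        raise ValueError("CSRF state mismatch")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    codes = query.get("code")
    if not codes:
        raise ValueError("no authorization code in callback")
    return codes[0]
```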

After the user has authorized your app, they’ll be sent to your redirect URI, with a few query parameters: